DNS connectivity problems are quite common, but an increasing number of DNS issues are being caused by surreptitious...
attacks. In this back-and-forth discussion from SearchSecurity.com's IT Knowledge Exchange, learn how an innocent query about a finicky DNS server turned into an investigation of malicious malware.
ITKE member kfettig posed the following question:
There are two users in my office who are suddenly unable to access some Internet sites that they have always been able to access before. I am able to navigate to the sites from other machines in the office with no problems. The two users who are having problems are receiving the "page cannot be displayed" message when they attempt to go to some sites; at the bottom of the error page, it states "DNS error or server cannot be found."
They are able to access other Internet sites with no problems. It's not the sites themselves having problems because I am able to get to them from other computers...I've tried adjusting the security settings in the browsers, but it has not made a difference. Nothing has changed on the network or on the machines; no new software or hardware has been installed. There are no viruses resident on either machine. Please help if you can!
ITKE member ghigbee responded:
A quick test to see if [the problem computers] have cached bad DNS entries would be to ping one of the Web sites from a machine that works and compare the resolved address to the address resolved on a machine that didn't work. If the entries don't match, [perform] ipconfig /flushdns [,a command that resets the contents of the DNS client resolver cache,] and try it again to see if that clears up the issue.
You can also check their hosts file, [a computer file that maps host names to IP addresses], to see if something has placed entries in there. There have been some viruses that write entries to your hosts file.
ITKE member astronomer added:
[Ghigbee] had a good idea about checking the hosts file, but I suggest you use nslookup, [a program used to find a host's corresponding IP address], on both working and non-working systems. Are they getting information from the same DNS server? If the systems are the same, they should get identical information. If they do, and there are still differences, I would suspect redirection or similar malware causes.
Thank you, astronomer. I never thought to compare DNS servers, and sure enough, the machines that weren't working were pointing to a different DNS server. I don't believe that anyone changed those settings. Could malware have done it? I can't tell you how appreciative I am...
astronomer wrote back:
- Learn more about the 'next big vulnerability area': Ajax and cross-site scripting.
- Read all of today's featured ITKE tip, and keep the discussion alive.